Episode Details:

Hear from Jorge Orchilles, Senior Director at Verizon, on the shift from traditional vulnerability management to modern exposure management and the critical role proactive security plays in staying ahead of threats.

On the latest episode of Agent of Influence, host and NetSPI Field CISO, Nabil Hannan, sat down with Jorge Orchilles, Senior Director at Verizon, to discuss the shift from traditional vulnerability management to modern exposure management, and the critical role proactive security plays in staying ahead of threats.

Discover advancements in offensive security, the rise of AI-driven red teams, and how integrating domains like IoT, cloud security, and identity management shapes the future of cyber resilience.

Packed with practical insights and forward-thinking strategies, this episode is a must-listen for anyone navigating the complexities of today’s security landscape.

Show Notes: 

Transcript between Jorge and Nabil

Topics: Proactive security, offensive security, vulnerability management, exposure management, red team, purple team, AI red team, ethical hacking, penetration testing, breach and attack simulation, attack path, generative AI, cybersecurity training, SANS Institute.

Nabil: Hi everyone. I’m Nabil Hannan, field CISO at NetSPI, and this is Agent of Influence. It’s not every day that you get to sit down with someone that has been referred to on the internet as a legendary pentester. So Jorge, it’s an honor to have you here today, and for the audience that doesn’t know, Jorge and I go way back. We’ve been colleagues, had client-vendor relationships, and over time, we’ve built a friendship as well. And Jorge is someone who is as comfortable on a podcast as he is maybe at a Taylor Swift concert, and we’ll get into all those details as well. So Jorge, welcome and why don’t you start by telling us a little bit about yourself.

Jorge: Thank you for the invite. For the record, I did not go to the Taylor Swift concert. I only facilitated it for my daughter, Dad of the Year Award for the next decade or so. Thank you for having me on. I really appreciate it. You know, we go way back and we’re going to talk about all my favorite topics, which is offensive security or proactive security. So very excited to be here.

Nabil: So, why don’t we start and maybe you tell us a little bit about where you are professionally today?

Jorge: Sounds good. I’m at Verizon right now, so a cell phone company that you might have heard of, and I’ve been there for two years, running a team. It was a new team built by my boss, who I actually worked with earlier before, and the team is called Readiness and Proactive Security. My boss came up with that name two years ago when this position was getting created. It was a really cool opportunity, because there were a lot of changes going on in the org at that time, and in particular, it didn’t have much in the offensive security space. So I got to take over a team that is called Enterprise Vulnerability Management, which we’ve rebranded to Exposure and Vulnerability Management. We’re going to talk about that penetration testing team, as you mentioned, and an enterprise red team, a dedicated purple team that does exercises, but also has operationalized purple teaming. And the latest team that I got to build there, also with someone you know, Tim Schultz and Heather Lynn, was the AI red team. So I think we were one of the first, if not the first, AI Red Team outside of your Frontier model makers. The Anthropics and the Googles and the Metas, so lots of fun stuff in the entire team.

02:47: Can you share with us your perspective on maybe what it took for the evolution and shift to happen from thinking of security and vulnerability management as a traditional activity to now it being a proactive activity that organizations need to think about?

Nabil: So, let’s get started with the naming of your team as the first thing. It’s a relatively new concept, I think, where teams are now being called proactive security, whereas before, it was all focused on offensive security, or just security in general, but I think the term proactive is gaining a lot of traction. Can you share with us your perspective on maybe what it took for the evolution and shift to happen from thinking of security and vulnerability management as a traditional activity to now it being a proactive activity that organizations need to think about?

Jorge: 100%. So, let’s go all the way back to the 1960s before either of us was born. Great book— Hackers by Steven Levy, who is director or editor at Wired, talks about the original hackers back in the day, in the model railroads in MIT, and the term hacker meant, you know, being able to understand how technology works and make it work for you, which, in today’s age, we should be using that term. Unfortunately, the 80s happened. The 90s happened. Right? All the malicious hackers started doing their work. And unfortunately, media picked that up, and that term hacker kind of started becoming a bad thing. And you know, going back to when I worked at Citigroup, big financial bank, right? You could say “we’re building a hacking team,” and they would be like, “no, what are you talking about? That sounds illegal.” So we started with the ethical hacking term, and using unethical hacking for the malicious folks. And from there, it’s kind of grown, right? All of offensive security has started from the 90s, looking at a firewall a service that was listening. You know, we probably remember the FTP buffer overflows, or you would fuzz and send a bunch of A’s and get EIP and all that fun stuff. But then it started evolving, right? We started going to web apps. Even our networking gear decided to go to web apps, which continues to be a problem today. So what’s old continues to be up and coming. From there, offensive security sounded a little better than ethical hacking. And then at the end, is ethical hacking the right word we even wanted to use, like you start getting into those terms, and where it’s shifted today is essentially what we’ve always wanted to do, which is identify and remediate vulnerabilities, misconfigurations, anything a malicious actor would and can take advantage of. We wanted to remediate that before they did. Hence the term proactive, right? And think it sounds a lot better, definitely more professional. 
Maybe we’re just getting old and getting away from the ethical hacking or hacker mindset days. I think the mindset is definitely there, but the terminology is definitely evolving. And you know, we’ll talk about how this has become more than just finding an edge device and exploiting it to gain root and call it a day to all the work we have to do nowadays to actually gain our objectives.

“We wanted to remediate [vulnerabilities] before [malicious actors] did. Hence the term proactive.”

Nabil: I think there’s a lot of power when it comes to naming something appropriately. If your team has named something that feels more adversarial in nature, it often builds more friction against other teams. But if your team has a more nurturing sense to it and is being more proactive and kinder and more thoughtful, I feel like it harbors better partnership across the organization in general, but goes back to show how important naming something correctly is. But then again, the other piece that I find interesting talking to various CISOs is some of the best CISOs in the world are actually really good at marketing. They’re more about how they communicate, how they market, what they’re doing, and what’s necessary, versus actually being like deeply technical and trying to explain all the technical challenges to people, because not everyone is technical, and they need to get a better context and better perspective on everything, which is what I find fascinating today.

Jorge: Well, and going back to the Citigroup days, right? Joining this Ethical Hacking Team, I was like the seventh person to join back in 2010, or something like that. But our CISO was Charles Blauner, who, of course, you know, and he was deeply technical. I mean, if you look up the Kerberos RFC, like who actually wrote it, he was one of the contributors to it, so he was definitely technical, and that helped. Everything has its pros and cons, right? But when we built the red team at Citi, which was one of the first internal red teams, we had always had external Red Team engagements, but when we built it internally, I remember on his whiteboard in the office in the fusion center that had just got built, it said in big red letters, Red Team Everything. Like you go into the CISO’s office and you read Red Team Everything, and you’re like, “this person knows what’s up. This person really wants to be proactive and find the stuff before the threat actors.” This isn’t about compliance or regulators or anything like that. This is about finding, and to your point, about adversarial behavior. Recall the first red team engagements we did like we were the last Coke in the desert, you know, like we came in, like we boned. We dropped some PowerShell. Y’all didn’t see anything. We got root here. We got this there, and obviously looking back, that was not the way to make them feel like shit. And I think that’s one of the reasons why purple team really took off, like as a term. Bad job on our part from a marketing perspective, right? It’s like red and blue working together. Should we call this purple? Well, thanks. My five-year-old daughter couldn’t come up with that one, but it was so successful because of that, right? Because it wasn’t adversarial, it was working together. Because everything we did in ethical hacking, proactive security, offensive security, was always for the better of the company. 
We were always on the same team, being prepared or being ready for the real threat actors to come and make sure that we could catch them and not end up on a newspaper header.

“Everything we did in ethical hacking, proactive security, offensive security, was always for the better of the company. We were always on the same team.”

09:32: What’s the difference between a pentester and a pentesting team and a red teamer and a red team?

Nabil: So we’ve talked about this multiple times on the podcast, but I feel like you might have a different perspective on it. So let me ask you this, what’s the difference between a pentester and a pentesting team and a red teamer and a red team?

Jorge: I love this question, because we debated it so much, and it’s all about the objectives, right? Where do you draw the line? Where does it change? What are you trying to accomplish? Pentesting is focused on finding vulnerabilities in technology, whereas a red team engagement is looking at people and process more than technology. Are you going to exploit something? Maybe, maybe not. It’s a means to an end. While in a pentest, generally, your scope is going to be this app, this server, this database server, this app server, etc., so you’re very boxed in, and you’re not really testing the people. You are testing the technology. The test of the people on the red team side is you need to act and be stealthy. They shouldn’t know that this is coming, because their behavior, if they know it’s an internal or even external red team, changes, and there, your metrics are different. In pentesting, the finding’s either open or closed, and it has a risk rating of critical, high, medium, low, info. You might throw priority in there, depending on what version of CVSS you follow, but in red team, the metrics are way different there. The metrics on red team, from the red team perspective, are initial time to access. How long did it actually take you to get that access onto the system? How long did you have persistence? How long did it take you to move? How long did it take you to get the objective? On the blue team side, it’s how long did it take you to catch them? So time becomes a metric, and a lot of the things that red teamers do is just living off the land, right? It’s not something that you can just stop. It’s not something you can block. Whereas, in a pentest, if you find a vulnerability, you can change the configuration on it to not have that camel default vulnerability enabled, right? Or you can patch it very, very easy, open, close. Same with vulnerability management, right? As we jump into exposure management, this whole thing’s gonna change. 
We are going from a vulnerability being open to an attack path. How do you score an attack path? That involves an identity, that might involve an internal system, might involve an external system. It’s evolving. We’ve seen this before, and I’m just excited to be, you know, part of the folks doing it again and figuring it out again. And you know, if we’re wrong, let us know. Let us know what works as a community, we’ve always kind of made this happen. We thought about the definition of pentest and red team more than we focused on a how about we just provide value.

“We thought about the definition of pentest and red team more than we focused on a how about we just provide value.”

12:20: What is your thought process on vulnerability management versus exposure management, and how are you approaching exposure management today? 

Nabil: Speaking of vulnerability management versus exposure management, tell us about how you’re thinking about it, because it’s definitely a shift we’ve seen accelerate in the last 10 years. So what is your thought process on it, and how are you approaching exposure management today?

Jorge: I will definitely give NetSPI credit where it’s due on this one, because where it clicked in my head, and I will try to explain it here, was actually at the customer advisory board meeting that we had down here. Actually, it was down in South Florida. That’s where it clicked. I don’t know if it was something you all said or something the other customer advisory board members said, but that’s where it finally clicked, that today and just how we have grown in technology, we’re always interested in that new thing. So a very simple example, back in the day, we had a server. It had a service listening. We talked about FTP, right? Vulnerability scanning and vulnerability management would identify that port is open, would find that there’s a vulnerability there, and tell you what you need to patch it with. Using CVSS, it’ll tell you that’s a high, medium, critical, or whatever. Now, we then had Cloud, right? And what happened with Cloud? Cloud wasn’t under vulnerability management, it became its own thing. So now your company had a cloud security arm or department, right? Depending on your size, of course, and then that kind of became its own thing, right? So it’s like, oh, those people know Cloud, and they’re looking at a GCP or Azure Portal or whatever product they’re looking at, and they’re fixing mostly configurations today. There’s a couple of vulnerabilities, few that just came out, but they’re kind of focused on that, and we didn’t bring them together. OT and IoT, same thing, you have these folks that worked in building management systems or cameras or access management, your corporate security. Those folks didn’t really care because there weren’t patches for that stuff, and it was all on a different network. You can’t get to it. We’re good. And now it’s like, oh, maybe we should see where there are vulnerabilities and which ones are exploitable, and let’s fix that. So the exposure management piece essentially brought all of this together into one view. 
No longer are you just looking at a vulnerability on a server, a vulnerability on a web app, a vulnerability in OT, a vulnerability in identity right in Active Directory in Azure, in IAM, inside of GCP. You can’t look at them in silos anymore, because if you do, you’re making the same mistake that we always did, which is you have too many things to fix, and you can’t fix them fast enough. Like we’ve moved beyond that, like we know we can’t fix everything fast enough. So where do we focus on? And that’s where I think exposure and proactive security in particular, is kind of teaming in with the businesses to understand, like, hey, you might have 2000 vulnerabilities, but this one right here and that unconstrained delegation—those two need to get fixed this week, like you have five days for that. The others, put them in your patch cycle. Yeah, I know there’s some criticals there, but don’t worry about those, because they’re internal. It takes all this stuff to actually compromise it. It’s not your priority, even though the CVSS says it’s a critical.

“You can’t look at them in silos anymore, because if you do, you’re making the same mistake that we always did, which is you have too many things to fix, and you can’t fix them fast enough.”

15:48: What did you learn from delivering training about the mindset of people that are taking security training, and how can we maybe improve an approach to making sure that we are educating not just deep technical training, but the general masses on the impact that every action that they take has on either their personal security or just the security of the business as a whole?

Nabil: I think it goes to show you that context is important as you’re making these decisions, it’s not just about a certain risk score, but it’s more about what is the broader impact, and how does the business get impacted overall with these types of issues? So I do want to come back to more of the exposure management stuff. But before we get too far, I think you mentioned something in passing which I want to highlight, which is culture and being able to build collaboration across different groups in a company. You spend a lot of your time in training and delivering training, I want you to tell us a little bit about what you were training, but what I’m more interested in is, what did you learn from delivering training about the mindset of people that are taking security training, and how can we maybe improve an approach to making sure that we are not just deep technical training, but educating the general masses on the impact that every action that they take has on either their personal security or just the security of the business as a whole?

Jorge: I’ve taught for SANS for about 15 years. I started teaching a two day virtualization security class because that’s what existed before Cloud. VMware was the main one back then. We built a two day class on that. We built a two day class on virtualization security, which then expanded and became like a six day private Cloud class, which is essentially how you run virtualized infrastructure. I think what I like the most about teaching is that you are always learning. You will learn something new every time you give a class, whether it’s because you really need to understand exactly what you’re talking about, or someone comes up with some area you never saw before, or they’re just asking a question that’s expanding your thought process, which I think is probably the most important thing for cybersecurity, that thought process of thinking outside the box, of “this is how it works right now, but what can it do later?” That whole process, to me, is the most important for anyone, not even just in cybersecurity. It’s in anything, right? And any problems come up, you need to understand all the factors, understand how the things work, and make them work to your advantage or for the advantage of whatever your objective is. So yeah, taught quite a bit in SANS, and SANS has a numbering system that’s similar to university, right, where you have 300 level classes, 400, 500 and yes, my focus was always on the deeper technical ones, 500, 600 levels. And there you do definitely get very technical. They are known for that the amount of technical ability you need to know. What we focus on is, as a human, you learn differently. You learn differently than I do than the next person, right? 
And the way that we make that at SANS and also an author, so going into that is some people learn by reading something, some people learn by seeing something, some people learn by hearing something, and some by doing, or the combination of all those in different, you know, bar graph levels of knowledge, right? Like, maybe you have to read something first, then you hear it, and then you do it, and that’s your method of doing it. Or sometimes you’re trying to do something and you’re like, I’m not gonna read the manual, you know, like, I’m not reading a manual. Do you ever read the manual only after hitting my head against the wall a few times? But that’s my way, right? Like, that’s my way, not necessarily right or wrong, and that’s where I’m getting at there’s all these different ways. So you take one of our courses, right? The red team operations and adversary emulation, you’re getting the books that have the slides and the course where you’re getting a live instructor, whether it’s live online or in person, telling you stories like not reading the slides, because you can do that on your own, then you’re getting the on demand material, which is essentially the authors teaching their area. So you end up hearing different stories of different ways. Stories are a great way to learn. Then, of course, you have the lab access where you’re doing it over and over and over again. Joshua Wright has security 504 right now. He’s the main author there, talks about how the human mind forgets things as time passes. So if you’re not deeply technical, and then you go take a very technical course, regardless of what it is, you know this right now, but a week later, you’ve lost a little bit. A week later, you’ve lost a little bit. It’s because you haven’t reinforced it. So reinforcement is very, very important as well, especially for us, right? We both started very technical, and now we’re in meetings and PowerPoints and Excel all day, and it’s like we have to do it, right? 
So I think that’s important. It’s only the way that you learn the information that’s in front of you, but also how you work to retain it. And it is work at the end of the day. You can love cybersecurity, like we both do, but it’s work. 

“I think what I like the most about teaching is that you are always learning.”

21:31: Do you think we’re doing the right things to evolve how we teach the future generations on cybersecurity? What do you think needs to happen to evolve how we train future generations? 

Nabil: Do you think, in the age of social media and shorts and little clips of videos here and there, and people having much narrower attention span than they did in the past, do you think we’re doing the right things to evolve how we teach the future generations on this stuff? Because I personally don’t see the traditional methods working anymore. I can’t imagine someone sitting in a classroom for like eight hours or 16 hours over two days, taking a course. I did it back in the day. You’ve taught many of those back in the day, but it just doesn’t seem like that’s what interests people anymore, and the attention span is not there. So what do you think needs to happen to evolve how we train the future generations on this stuff?

Jorge: Yeah, I think understanding how it is that they’re learning. Funny. You brought this up and remind me Rob Lee, who works at SANS and you know, old, old, old school Mandiant guy. Just a couple weeks ago, he used AI to essentially take a recording of his voice explaining, I think it was Salt Typhoon, and he explained it in his traditional SANS voice and the video was a minute and a half. Anyone could watch it. You and me were fine. Then he asked the Gen AI to do it for a younger generation that’s maybe in their 20s. And it used all these words that my daughter uses, like rizz and COVID and all this stuff, and it was surreal, because you’re watching, like, obviously, it’s not him, but it’s him. Gen AI is talking with these words I know for sure he would never say, and then I don’t know what he actually did with the video. It would definitely be interesting to see. I definitely think people are thinking about this. It’s gonna be interesting to see how it evolves. Maybe we need to make little shorts of podcasts that are just 30 seconds with little tidbits, and no one watches the other 30 minutes of us talking about old school hacking. Maybe they don’t care anymore. They just wanted to get the best parts and move on.

23:40: What are your thoughts on new terminology and the new naming of this concept of adversarial exposure validation, and how are you thinking about it?

Nabil: Exactly. Let’s go back to the overall topic about exposure management. And I feel like in the 20 years or so that I’ve been in the cybersecurity space, there’s this influx of acronyms that keep popping up, and I want to blame someone. Sometimes it goes to the analysts, maybe the ones that are most popular. They keep coming up with new acronyms, and everyone rushes to adopt the new acronyms. There’s a new one I heard. I want to make sure I get it right, adversarial exposure validation. What are your thoughts on this new terminology and the new naming of this concept of adversarial exposure validation, and how are you thinking about it?

Jorge: I honestly don’t too much. I mean, every maybe year, I will pull up some papers on some of these. Right now, I did because of how I wanted to change the name of our team to exposure and vulnerability management. I’m like, I can’t be the only one thinking this way. And then you find some other people doing it, and you’re like, All right, cool. We’re kind of in line, but yeah, name’s a name, right? And words matter. So we got to make sure that what they’re saying are actually true before you get to that, like the whole automated red team. I hated that word. I’m like, “no, you can’t do this. Stop.” And that one, I think, has gone away. I think it was CART, continuous automated red teaming, automated CART. That was a terrible acronym, too. So I’m glad that one went away. Now there’s CTEM, which kind of makes sense, like through threat in there. The one I also didn’t like was the whole breach and attack simulation. I am getting to this answer, right? Because that’s essentially what this has become. So when breach and attack simulation came out, and I remember, because I was at Citi, we didn’t just look at products to bring in, but we had Citi Ventures, so we actually got to see some of these new products and be like, this makes sense or not. They never actually listened to us, but it was still cool to play with it. I remember that was 2018 maybe when these were coming out of stealth, and it was like, this thing is replaying a PCAP in your environment to see if you detected it. Like, okay, how can I find this valuable right now? Why are you replaying a PCAP and same? Then they’re like, all right, maybe we’ll replay IOCs to see if your threat hunt game is on, or feel like your signatures are actually working. It’s like, why are we talking about signatures? It’s 2020, at this point. So that was like original breach and attack simulation. Then, as you know, I worked at a company where we refused to use the term breach and attack simulation. 
We wanted to actually emulate the actual procedures. I think it was an industry. We’re still not there. This was just like a new term for it, I would say, and if you do have an exposure management platform where you can actually see your attack surface management, you can’t see your identity, you can see the internal systems. You can see your vulnerability management program. You can see OT, IoT, and you can actually build an attack path. Then the next step is to validate that if that attack path were to be leveraged, that there would be controls in place to prevent, or at least detect an alert and garner a response. So that’s what I think it should be. I think I’m far off on what people are selling based on the new term. Because these companies are like, I do breach and attack simulation today, there’s a new term. Oh, never mind. I don’t do BAS anymore. I do this now. It’s like, no, you don’t, because that is different. It has to be different, if not, why? Why’d you come up with a new name? So there’s a lot of marketing involved, which is sad. Let’s say there’s a vulnerability, something simple, a vulnerability out on an edge device. And that edge device, let’s say it’s a VPN that would allow you to gain internal access to an environment with the access of root on that system, you can then move laterally to other systems that may not have EDR, right? I’m particularly picking on something that doesn’t have EDR. And then, as part of this exposure validation, you’re like, all right, can this actually be exploited as a configuration there to allow this exploitation? If not, then your chain’s already broken, right? Let’s say it does work. Now, on this system, is the management interface, something that will actually allow you to move laterally to here or there with this identity. For this identity, you then start actually deep diving into them. 
There’s no actual automated way of doing that, like the automated way of doing it, like that host has a vulnerability, but it’s running EDR, and EDR has a control for that. So you would get stopped. I think that’s what it’s doing, which at the end of the day is just passed. 

29:16: Given the pace at which technology is changing now, especially with the acceleration we’ve seen with generative AI’s popularity and also just general availability of different types of models at your disposal,  what are some things security teams need to be thinking about and doing to make sure they can continue to be successful in accomplishing their objectives, let’s say in the next two to three years?

Nabil: Given the pace at which technology is changing now, especially with the acceleration we’ve seen with generative AI’s popularity and also just general availability of different types of models at your disposal, what are some things security teams need to be thinking about and doing to make sure they can continue to be successful in accomplishing their objectives, let’s say in the next two to three years? 

Jorge: The easy answer is to actually leverage it and see how you can leverage it. A lot of companies straight up came out and said, “no, don’t use this, you’re gonna leak data.” Some companies leak data, right? So they were right in some sense. Today it’s like any new technology, right? A transformational technology, not any new technology, any transformational technology like Cloud, think the world wide web. We had to figure out how it worked, and I’ll use it. When Cloud came out, we weren’t jumping to it. We weren’t letting teams sign up for SaaS services, even though they were with the company credit card. I think it’s the same here. We need to understand how it works and stay on top of it, because it does change, like the pace of this one, compared to when it was Cloud. Like Cloud, I remember we were doing that in 2008. Adoption at a large financial occurred maybe into 2018 so we’re talking, let’s say, 10 years. Just for a sake of this example, that same company that blocked ChatGPT in November 2022 probably already has an internal chat bot that everyone can use, right? So like, well, it’s way faster, but we need to figure out how to use it for us, and then be aware of how it can be used against us. Up until now, we’ve just seen it really facilitate things that humans could already do. Like you can craft a phishing email, right? Like, that’s a typical example, but even looking at some of the stuff Google Project Zero is doing, it’s like they came up with an LLM that can find vulnerabilities inside of binary, right? Like we can do that too, but takes a lot of time and that’s just making it quicker. So will it find a zero-day? Maybe because it’s a vulnerability we didn’t know about, someone didn’t know about and it’s just way faster. So yeah, we gotta stay on top of it. 

31:35: With the changes happening in the Formula One teams, given the state of it today, who’s your favorite team? And what’s your favorite part about attending an F1 event?

Nabil: So at this podcast, we like to talk about non-work-related things. So I have a couple of different things I want to learn from you. Number one, with the changes happening in the Formula One teams, given the state of it today, who’s your favorite team? And what’s your favorite part about attending an F1 event?

Jorge: Yeah, so I am a big F1 fan. We have a fantasy league called InfoSec. F1 goes back to the days when we call the InfoSec and I love Formula One because it’s very international. In the US, people are just now getting into it, which I love. It’s like more people to talk to ever since Drive to Survive came out on Netflix, it’s just been great. What has not been great, though, is that it’s only been one team winning over and over and over. So when I started with my father-in-law, who’s Brazilian, so big Senna fan, right from back in the day, it was Vettel that won four years in a row. Then it was Hamilton that won like six. I think Rosberg won in the team there. But this is all Mercedes, and now it’s been Max, right? So I want someone else to win. And when it was Max and Hamilton in that last lap of that season, I was going for Max. I was singing, Max, Max, Max, Super Max, Super Max. Shout out to all my friends from the Netherlands, because they kept being Max fans, and I’ve turned away from them. I am a Ferrari fan. I would like to see Ferrari get back to its glory and see red as the constructor champion. And Hamilton just came over. So I think it would be epic if he won, and he could prove that he can win with more than just, you know, one team. Technically, he won with two, but do it again as a 40-year-old, that would be epic. And rumors. I mean, today we’re recording on April 1. So we did get a couple of our friends saying that Max left Red Bull this morning because he wasn’t satisfied with the Liam Yuki trade that just occurred. And it was kind of funny. Some people fell for it a little bit, right? However long it took him to Google that one, but, but yeah, Formula One’s a lot of fun. I’ve gone to Miami, Austin, Mexico, and Brazil. This year, I’m going to do Mexico again for sure, and figure out where else. I always like going to different ones to get the atmosphere, because it’s so international. In Mexico, they’re shouting one thing, and in Brazil, they’re shouting another. And it’s pretty cool. It’s a fun sport.

34:41: So speaking of international sporting events, then we have to talk about FIFA. So who are you rooting for, and which game do you think you’ll be able to attend?

Nabil: So speaking of international sporting events, then we have to talk about FIFA. So who are you rooting for, and which game do you think you’ll be able to attend?

Jorge: FIFA Club World Cup is happening in the United States, which I also love. I’ve lived here since 1989 and soccer wasn’t that popular. They did host the 1994 World Cup, which was awesome. I was young, then finally got into it, because they would actually show it on TV. It wasn’t until I moved down to Miami, actually, I was able to watch regular clubs play. My club is Real Madrid, so they are the kings of Europe, having won the Champions League 15 times, having won the Club World Cup, or the Intercontinental Club, as it used to be, where you had the best team in South America win against the best team in Europe. Now it’s expanded, because the world has globalized. You have Cristiano Ronaldo. I went to Saudi Arabia, right? Like they’re bringing teams. The US into Miami is taking Messi obviously, or FIFA is taking Messi. So I’m definitely going to the final. So hooray, have that one secured. Regardless of who goes, I will be there, and I’ll be watching the Madrid game here.

36:30: Do you consider yourself to be a Swiftie, and what is your favorite Taylor Swift song, and is it the same as your daughter’s favorite Taylor Swift song? 

Nabil: Yes, sir. So speaking of that, here’s maybe the toughest question today, do you consider yourself to be a Swiftie, and what is your favorite Taylor Swift song, and is it the same as your daughter’s favorite Taylor Swift song? 

Jorge: I have an 11-year-old daughter who is 100% a Swiftie. I have to consider myself a Swiftie because I know way more than I need to about her. Like I know her date of birth is December 13, 1989. Why should I know that? I don’t even know some of my cousins’ date of birth. My daughter’s favorite song changes about once a month right now. It’s some 10-minute-long song. I don’t even know the name of it, we might have to cut that part out. She’ll probably watch this because it’s gonna be on Spotify. I had to create her own Spotify family account because my year in review on Spotify was just like a mess. I’m like, we’re creating a family account, and now you do your thing. My favorite Taylor Swift song is Look What You Made Me Do, which is on Reputation.

Nabil: Well, Jorge, it was a pleasure, as always. Thank you for your time, and hopefully we get to do this again soon. 

Jorge: Sounds good. Thank you for having me. 
